The Dog That Did Not Bark, the Dog That Did Bark, and the Dog That Should Have Barked: A Methodology for Cyber Deterrence Research

The study of deterrence presents a number of challenges, mainly to do with identifying deterrence success and defining how deterrence works. Studying cyber deterrence presents even greater challenges, as traditional deterrence challenges are exacerbated and interactions in the cyber domain create further difficulties. When studying cyber deterrence, scholars face uncertainty not only in identifying situations of deterrence success, but also—due to the secrecy surrounding cyber practices—in identifying situations of deterrence failure. Despite the many studies on cyber deterrence, methodological solutions to address these challenges still need to be developed. To this end, I suggest focusing on the adoption and employment of the strategy rather than on its success. I argue that since communicating threats is a core element of deterrence, it is easier to observe how the strategy is adopted and employed than whether it succeeds or fails. This focus provides a promising direction to study cyber deterrence and address these challenges.

Deterrence in the Cyber Realm: Public versus Private Cyber Capacity

Can cyber deterrence work? Existing scholarly works argue that deterrence by punishment using cyberattacks is ineffective because the difficulty of attributing the origin of cyberattacks makes the threat of future attacks less credible. However, these works have told us relatively little about the deterrence ability of public cyberinstitutions (PCIs), defined as publicly observable proactive efforts aimed at signaling a country’s level of cyber offensive and defensive capability. This research shows that middle powers (that have scarce cyber arsenals) can use PCIs to deter cyber attacks that cause significant damage to their economy and prosperity; however, this deterrent capability is rather limited. Using an incomplete-information model, we demonstrate that PCIs only deter adversaries that are susceptible to the costs created by these institutions. Despite this limited deterrence ability, middle powers tend to over-invest resources in these cyberinstitutions: Weak cyber states tend to over-invest to convince strong cyber adversaries that they are strong, whereas strong cyber states over-invest so that adversaries do not believe that they are weak states pretending to be strong. By doing so, states reduce their overall cybercapacity. We establish the empirical plausibility of these results using election interference campaigns as examples of strategic attacks. Our focus on the strategic use of PCIs as a deterrent represents a departure from existing literature—which has focused only on cyberoperations—and has important policy implications.

Cyber Deterrence: The Past, Present, and Future

The question on whether and how deterring an adversary in or through cyberspace is feasible has provoked the minds of scholars and practitioners for decades. Today, cyber deterrence remains a quintessential anchoring concept for the political debates on cyber policy. However, does the concept of deterrence in cyberspace have a future when for almost three decades little to no seemingly feasible practical solutions nor an academic consensus have emerged? The purpose of this chapter is to situate the current debate on cyber deterrence within the historical evolution of deterrence thinking in cyberspace, clarify the existing conceptualizations, and comprehensively discuss whether the concept of cyber deterrence has an analytical future. We argue that the future deterrence debate can move into four directions: increased incorporation of cyber deterrence as an element within the broader international security and contest in a multi-domain world. A deeper focus on the technical aspects of the cyber domain to achieve deterrence effects on the operational and tactical level. A closer analysis of compellence, as the alternative form of coercion. And an exploration of new strategic concepts that seeks to contain and blunt adversarial aggression in cyberspace that stands apart from traditional deterrence thinking.

Evolving Toward a Balanced Cyber Strategy in East Asia: Cyber Deterrence or Cooperation?

This paper investigates the limits of implementing a cyber deterrence strategy in East Asia. Given that national security documents from both Taiwan and Japan indicate the need to deter state-sponsored cyberattacks, there is very little literature that empirically and theoretically investigates the utility of such an approach in this region. This paper looks into the various deterrence constructs and argues that none of them can be implemented without problems. The paper looks further into a deeper level of the conceptual issues upon which deterrence thinking is based and argues that an alternative strategy promoting regional cooperation is not only possible but also desirable in the current political climate. It is later concluded that looking for a one-size-fits-all solution is idealistic, and policymakers should develop security countermeasures that align with the threats posed by the actors they wish to confront.